Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <293784971.999861256328961039.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>
Date: Fri, 23 Oct 2009 16:16:01 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: kvm: integer overflow in
 kvm_dev_ioctl_get_supported_cpuid()

Please use CVE-2009-3638 for this.

Thanks.

-- 
    JB


----- "Eugene Teo" <eugeneteo@...nel.sg> wrote:

> Quote from the upstream commit:
> "The number of entries is multiplied by the entry size, which can 
> overflow on 32-bit hosts.  Bound the entry count instead."
> 
>    if (cpuid->nent < 1)
>     goto out;
> + if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
> +  cpuid->nent = KVM_MAX_CPUID_ENTRIES;
>    r = -ENOMEM;
>    cpuid_entries = vmalloc(sizeof(struct kvm_cpuid_entry2) *
> cpuid->nent);
>    if (!cpuid_entries)
> 
> This one can be triggered if /dev/kvm is user accessible (which is
> recommended...). This was introduced in v2.6.25-rc1, and fixed in 
> v2.6.32-rc4. Only on 32-bit host.
> 
> References:
> http://git.kernel.org/linus/0771671749b59a507b6da4efb931c44d9691e248
> http://git.kernel.org/linus/6a54435560efdab1a08f429a954df4d6c740bddf
> https://bugzilla.redhat.com/show_bug.cgi?id=530515
> 
> Thanks, Eugene

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.